E5 - The Flies and the Hornet - Holes in the Screen Door

Jan 26, 2016 | by RSA

The Hunter sat in the shadows cast by the immense castle tower. Beneath his right hand purred his intrepid companion, The Cat. Together they languished in the relative coolness of the shade, waiting patiently. Their position gave them an excellent view of the gate leading into the inner realm of the castle. Staring across the courtyard, they silently inspected the line of figures filing in and out of the gate. The routine was well established. A figure approached; a guard blocked the path with hand extended; a credential was passed to another guard sitting in front of a small table; the guard noted the credential in a large tome on the table. The unknown became known, and the guard stepped aside. The figure then disappeared from the glaring sun into the dim passageway leading to the interior of the massive complex of stone and mortar.

The Hunter had seen enough after an hour of watching the process. He stood and stretched his back. The Cat yawned, peered at the Hunter with shimmering eyes and reproached the man with a small snort for interrupting the animal's nap. The two walked toward the guard's small chamber next to the gate. The Hunter's ever-present feline compatriot padded silently behind him, hiding from the sun in the Hunter's broad shadow. The guard, hunched over the table, looked up as the shadow of the Hunter passed over the volume of entry logs. The guard swallowed hard, nervously tapped his fingers on the table and looked into the Hunter's hardened gaze.


Dave Reinhardt was nervous. He usually maintained a sense of calm that permeated his demeanor. It took a rare occurrence to stir any level of concern. As CISO of MagnaCorp, he had been part of many sticky situations. He had ridden the waves of several episodes of turmoil, suspense and danger that bordered on catastrophe. But Dave had a sense of doom when Marty had called him at home the previous evening requesting a meeting first thing in the morning. Marty rarely did that. In fact, every instance Marty insisted on an early morning meeting resulted in a tense conversation followed by more tense conversations with Dave's own peers. Dave took a sip of his morning coffee, glanced at his watch and waited.

He heard the bustle outside his office door and recognized Marty's strained voice greeting the security group's administrative assistant. Through the shades lining his office, Dave saw Marty accompanied by Greg and Erin. At that point, Dave's stomach flipped and he knew something was considerably more serious than he had hoped. He waved through the window, beckoning the group into his office.

"Good morning, Marty. Greg. Erin. Come on in." Dave motioned for the three to take seats around the small table in the office. He grabbed his coffee and took the final seat at the table. It didn't take much to see the fatigue on the three administrators' faces.

"Are those new sneakers, Marty? I like the neon orange and lime green combination," Dave said while pretending to shield his eyes with his hand. He could feel the tension break as the group chuckled.

"Thanks for noticing," Marty responded, giving Greg a sideways 'at least somebody has fashion sense' look. Erin rolled her eyes.

Marty flipped his laptop onto the table and connected it to a small projector. "Thanks for making the time. I think you need to hear this."

"Of course. Let's dig in."

Marty began his debrief quickly. First, he highlighted the key points that led him towards his investigation. He walked through his analysis of user activity, prompted by their new technology partner's offhand observation of increased administrative access to shared systems. This led him to backtrack to internal MagnaCorp systems. As he unraveled the tale, Erin and Greg added various points on their investigative process.

"The main indicator we have is the massive increase in usage of PowerShell. Admins use it fairly often, but as we started to look at logs, we saw a spike in usage, especially over remote sessions," Marty stated.

"But isn't that normal, Erin?" Dave interjected.

"Yes, we do use PowerShell," Erin answered. "But the user activity doesn't sync with typical operations. We have logged remote sessions kicked off at odd hours. One admin account was being used extensively. The bad news is that particular admin is on vacation. We had another account being used that is assigned to a developer on maternity leave. It's pretty obvious that these are not right."

Marty nodded. "We also saw some disturbing evidence on some systems. Greg found remnants of Mimikatz on one system. I also found usage of NTDSUtil on random systems."

"OK, Marty. Speak executive language. What does this mean?" Dave's voice tightened. His sense of doom was growing.

"We have some serious compromises here. The attacker, or attackers, we really can't tell yet, have been targeting our Active Directory in a significant way. We do not believe Domain Administrator access has been cracked, but there are several IT admin and end user accounts that are definitely being used."

Erin interrupted. "Our Domain Admin controls are solid. We randomize local admin account passwords. We implemented fine-grained password policies on our service accounts. Our domain admin accounts use two-factor authentication and are significantly restricted. Obviously our PowerShell logging has helped as well."

"I agree," Marty added. "There is no indication the most powerful accounts are being used. And I haven't found evidence of any deep hooks. The big thing I want to raise, though, is that the attackers have been doing some serious knocking around some of the shared systems with vNextGen. They have also spent time looking at our internal systems that are used by the vendor group, and our legal team, to handle documentation around the alliance."

Dave's grim countenance reflected the gravity of the situation.

Category: Research and Innovation, Blog Post

Keywords: Advanced Threats, APT, Enterprise Security, Incident Response, Risk & Compliance (GRC), Risk Management, Security Mini-Series, Security Short Stories